Abstract



Over the last few years, many enterprise customers have adopted directory services for managing 
their information technology (IT) resources deployed across the IT environment. A directory service is 
an effective way to address security issues and reduce management costs in the IT environment. 

This white paper illustrates the commitment HP has in the directory services arena by enabling 
directory service support on all of its industry-leading remote management products. This paper 
discusses the benefits of managing user authentication and authorization for the management 
processors in existing directory-enabled IT environments. This integration with directory services 
improves efficiency by allowing IT managers to configure and maintain their iLO, RILOE, and RILOE II 
user accounts in a central, scalable database. 

Readers should have a familiarity with directories and their organization as well as a general 
understanding of existing HP remote management products. Acronyms are used for the remote 
management products discussed in this white paper, such as: 

• Integrated Lights-Out (iLO) 

• Remote Insight Lights-Out Edition (RILOE) 

• Remote Insight Lights-Out Edition II (RILOE II) 

When this white paper refers to all three remote management products, they are called management 
processors (MPs). 

Remote management products 

HP continues to set the standard for platform manageability by providing built-in capabilities and 
industry-leading remote management tools. By using the following HP products, IT personnel can 
effectively manage their assets and reduce total cost of ownership. 

• iLO Standard provides essential Lights-Out management features as standard components of the 
ProLiant server and is upgradeable to the Integrated Lights-Out Advanced feature. For directory 
service support, IT personnel must upgrade to iLO Advanced. 

• iLO Advanced offers advanced virtual administration features for ultimate control of servers in 
dynamic data center and remote locations. Version 1.40 of the iLO firmware contains support for
directory services, in addition to Graphical Remote Console and Virtual Media. 

• RILOE provides cost-effective remote server management in corporate data centers and remote sites. 
Version 2.50 of the RILOE firmware contains support for directory services. 

• RILOE II provides significantly faster graphical remote console performance, a larger local user 
database, and new Virtual Media features. Version 1.10 of the RILOE II firmware contains directory
service support for user authentication and authorization. 

Visit the HP Lights-Out Management website at www.hp.com/servers/lights-out for more information 
on these products. 
Business needs



The complexities of network environments drive companies to implement directory services to manage 
users and resources across multiple operating systems, mission-critical applications, networks, web 
services, intranet services, and extranet services. In today's IT environments, the number of directory- 
based applications is rapidly increasing. 

Businesses that succeed in today's market require greater capabilities than those of conventional 
networks. Uptime is the key to a customer's business strategy. With limited IT staff and resources, 
attended ('in-front-of-the-server') operations are expensive, time-consuming, and inflexible. This 
dilemma intensifies as IT groups increase the number of deployed systems. IT managers demand 
solutions that can be easily installed and deployed, commonly managed, able to run in a 24x7 
environment, scale to meet their growing business needs, and protect confidential data. 

Customer environment 

For customers with distributed remote sites and space-constrained data centers, the HP Lights-Out 
products address numerous challenges IT administrators are facing today. Some of the common 
concerns and/or requirements are: 

• Limited IT staff with increasing number of deployed servers 

• Increasing number of massively distributed (global) deployments 

• Servers physically located at different locations while IT groups are centralized (customer preference 
is to diagnose-before-dispatch). 

• Standard configuration/deployment/management required across all servers 

• Scalability for configuration and maintenance is important to improve the overall efficiency of IT 
operations 

• Access and authorization to IT resources via directory services improves security 

• Response time is key to server issues 

• Return on investment (ROI) with purchasing rack-based monitors, keyboards, plus CD-ROM and 
diskette drives in every server 

• Cabling issues due to increasing server density 

• Increase security for servers and data centers located remotely 

• Increase uptime and decrease downtime on servers 

Benefits 

Directory-enabled environments provide the solutions large and small businesses are demanding. By 
integrating directory support into the Lights-Out management products, HP can help improve the 
scalability for configuration and maintenance and dramatically improve the overall efficiency of IT 
operations. With these products installed, IT managers can increase the Return on Invested Capital 
(ROIC) by: 

• Ease of management (one place to manage users and devices) 

- Using a common user database 

- Using previously established local accounts (users and groups) 

- Using a familiar interface - Microsoft's Active Directory Users and Computers and Novell's 
ConsoleOne 

• Leveraging existing infrastructure and investment in the directory service 
• Improving security

- Providing stronger authentication and auditing of user restrictions, including time and Internet
Protocol (IP) address restrictions

- Using a central network identity 

- Instantly updating user access changes across all enabled devices 

- Encrypting communication with devices by using Security Sockets Layer (SSL) 

• Increasing scalability and expandability 

Businesses want to grow without interruption. The directory-enabled support is available as a software 
upgrade to existing Lights-Out management products. No hardware changes or upgrades are 
required to add directory support. This upgrade allows IT managers to achieve the benefits listed here 
without interruption and there is no change in the way businesses run today. 

This software-based enhancement of directory support adds to the already successful hardware-based 
iLO, RILOE, and RILOE II remote management products. In upcoming sections, we provide insight into 
how the remote management products interact with the directory, the directory model HP utilizes, user 
authentication and authorization, and the setup environment. However, first we briefly discuss high- 
level descriptions of the directory architecture and its organization. 

Directory architecture 

The nature of directories provides multiple ways to view and manipulate the diverse resources of the 
enterprise. The next few sections describe the overall structural design of directories so you can 
understand the value of the HP remote management products and how they work in a directory- 
enabled enterprise. 

Overview 

A directory is an extensible, distributed, and replicated database that is hierarchical in structure
and stores information about business resources as objects. Objects include shared resources such as
servers, shared volumes, and printers; network user and computer accounts; as well as domains, 
applications, services, security policies, and just about everything else in your business. For example, 
directory services might store specific information about a user, such as the user's name, password, 
email address, phone number and so on. 

Since the directory is stored and replicated on servers throughout the network, this creates a powerful 
infrastructure where dissimilar operating systems and applications can interoperate by leveraging the 
directory. 

Objects 

Objects are the entities that make up a directory. An object is a distinct, named set of attributes that 
represent something concrete, such as a user, a printer, or an application. The attributes of each 
object describe the features of that object. For example, when an administrator creates a user they 
may define the attributes that describe the user, such as name, surname, address, phone number, etc. 
In the same way, when an administrator creates a device object, such as a management processor, 
the administrator will provide attribute information specific to that object. 
Schema



The schema is a description of the object classes (the various types of objects) and the attributes for 
those object classes. In other words, the schema is a set of rules that define the directory (in terms of 
tree structure), object types, object attributes, and relationships. 

These rules are stored in a data dictionary that determines the types of data that can be created. The 
data dictionary defines object classes and attributes. The directory's initial set of object classes and 
attributes is called the base schema. 

Even though the base schema is the initial starting point of object classes and attributes in the 
directory, it does not define all of the objects that can be stored within the directory. One powerful 
aspect of most enterprise-class directories is the ability to create new object classes and attributes by 
extending the schema. Thus, applications can create objects to represent any device, such as a RILOE 
II card, within the enterprise directory by defining that device in terms of object classes and attributes 
within the schema. 

Extending the schema 

Schema extensions are a necessary and important part of many directory-enabled applications in the 
market today. In most directory services, the base schema is insufficient to store critical application 
data. Directory-enabled applications use schema extensions to expand the definition of the base 
schema so that the directory service can accommodate the new data the application would like to 
store. 

The Schema Installer, bundled with the directory-enabled remote management installation software, 
will extend the base schema of the directory service. These schema extensions are necessary to 
enable role-based management and store information about each remote management processor. 

For your convenience and pre-implementation review purposes, HP provides a complete listing of the 
directory schema extensions that will be made to your directory in the HP Directory Services Schema 
Information Booklet. 

Role-based management 

HP directory-enabled management products use Lightweight Directory Access Protocol (LDAP) 
standards-based directory servers for authentication and authorization. A simple yet powerful and 
flexible role-based authorization model determines users' rights. 

Administrators create roles that associate existing users and groups with managed targets like iLO, 
RILOE, and RILOE II. A role grants its members specific rights to all of its managed targets. Roles can 
manage multiple targets, and users can be members of multiple roles; each role granting those users 
additional rights to all the targets the role manages. Roles can also be limited with the Domain Name 
System or Service (DNS) name, IP address, or time restrictions, only granting rights to users that satisfy 
the restrictions. Complex rights relationships not possible in the non-directory case can be expressed 
with just a few roles; more common rights relationships can be expressed with a single role object. 
Administrators can use role objects to create rights relationships that reflect the responsibilities of 
persons in the organization with a minimum number of role objects. 

Using role-based management also decreases ongoing maintenance efforts. When an administrator 
adds a new user or managed target like iLO, RILOE, and RILOE II, they can simply add it to the 
appropriate roles. Managing rights is also easy. Changing the rights assigned by a single role affects 
all the users and managed targets associated with that role, without the need to update any of the 
managed targets or users. All directory user rights management happens in the directory, eliminating 
the need to browse to and update every device when a user's rights change. Changes take effect as 
soon as they are made in the directory. There is no need to reboot devices or wait until users log out. 



Directory-enabled features of HP management products allow a single administrator to manage 
complex rights relationships easily between tens of thousands of users and devices. Figure 1 shows an 
example of a directory service interacting with role and device objects along with directory users and 
groups. 



Figure 1: Elements of a directory service 




• Role Objects define rights granted to a particular set of users by associating Users/Groups with 
Lights-Out device objects. 

• Directory Users & Groups define the existing or newly created users and groups in a directory 
service. These are the user accounts that customers use to log in to the directory service. The
same account can be used for network, e-mail and Lights-Out management access. The standard 
tools provided with your directory service manage User and Group objects. 

• Lights-Out Management (LOM) Device Objects are device objects that should exist for every Lights- 
Out management processor on the network. Associating a LOM device object to a LOM role object 
enables the Users/Groups associated with the LOM role object to manage that Lights-Out 
management processor.
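
The role evaluation described in this section, sketched as an added example (not HP's code or schema). The right names, role names, device names and addresses are constructed for illustration, and DNS-name restrictions are left out.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


# Right names are illustrative placeholders, not attributes from HP's schema.
@dataclass(frozen=True)
class Role:
    name: str
    rights: frozenset             # granted to every member on every target
    members: frozenset            # directory users and groups
    targets: frozenset            # Lights-Out device objects
    allowed_networks: tuple = ()  # CIDR strings; empty means unrestricted
    allowed_hours: tuple = ()     # (start, end) pairs; empty means unrestricted


def ip_allowed(role, client_ip):
    if not role.allowed_networks:
        return True
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return False              # unparseable address: fail closed
    return any(addr in ip_network(net) for net in role.allowed_networks)


def time_allowed(role, now):
    if not role.allowed_hours:
        return True
    for start, end in role.allowed_hours:
        if start <= end and start <= now < end:
            return True
        if start > end and (now >= start or now < end):  # wraps midnight
            return True
    return False


def effective_rights(roles, user, groups, device, client_ip, now):
    """Union of rights from every role that manages `device`, lists the user
    (directly or through a group) and whose restrictions are satisfied."""
    principals = {user, *groups}
    granted = set()
    for role in roles:
        if device not in role.targets:
            continue
        if principals.isdisjoint(role.members):
            continue
        if ip_allowed(role, client_ip) and time_allowed(role, now):
            granted |= role.rights
    return frozenset(granted)


# Constructed sample directory contents.
ROLES = [
    Role("Operators", frozenset({"LOGIN", "REMOTE_CONSOLE"}),
         members=frozenset({"ServerOps"}),
         targets=frozenset({"ilo-rack1", "riloe2-branch"})),
    Role("PowerAdmins", frozenset({"LOGIN", "VIRTUAL_POWER"}),
         members=frozenset({"alice"}),
         targets=frozenset({"ilo-rack1"}),
         allowed_networks=("10.20.0.0/16",),
         allowed_hours=((time(8, 0), time(18, 0)),)),
]

if __name__ == "__main__":
    for ip, at in [("10.20.5.9", time(9, 30)), ("192.0.2.10", time(9, 30)),
                   ("10.20.5.9", time(22, 0))]:
        rights = effective_rights(ROLES, "alice", ["ServerOps"],
                                  "ilo-rack1", ip, at)
        print(ip, at, sorted(rights))
```

A role whose restrictions are not met contributes nothing, so the same user holds fewer rights from an unlisted address or outside the permitted hours while the unrestricted role still applies.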

Enhancing directory value 

• Directory-enabled remote management, a key element to a successful adaptive infrastructure, offers 
IT administrators the ability to establish and maintain required levels of availability and security 
throughout the infrastructure. By using HP remote management products, administrators can easily 
and efficiently ensure their servers are always available giving their business a competitive edge. 
Directory-enabled remote management increases the efficiency of IT administrators and allows them 
to do more with fewer resources. 

• Envision an enterprise in which there are hundreds of directory-enabled devices like iLO, RILOE, 
and RILOE II. By combining the directory-enabled devices with an adaptive infrastructure and using 
virtual presence technology with automated tools, IT managers can improve their efficiency by 
easily updating and maintaining the user information on multiple remote management option
devices via directory services. 

• For more information on HP's Adaptive Infrastructure strategy, visit the HP website at
www.hp.com/servers/ai.

Remote management processors using directory support 

Today iLO, RILOE, and RILOE II are the first products of their kind to provide directory services 
integration from the HP Insight Management suite of products. Using either Microsoft Active Directory 
or Novell eDirectory, IT administrators can authenticate user access and authorize user privileges to 
any management processor (iLO, RILOE, and/or RILOE II) deployed throughout the IT environment. 

This integration with directory services improves management efficiency by allowing IT personnel to 
configure and manage their remote management user accounts in a central, scalable database. HP 
provides an easy and reliable installation program that installs a management console snap-in and 
extends the customer's existing directory schema to enable directory support on iLO, RILOE, and 
RILOE II. Bundled with these installation programs, HP has created two new migration utilities that 
automate upgrading the firmware, configuring objects, and assigning rights to that object for all of 
the management processors in the directory. These utilities replace the manual process of building 
associations between Lights-Out Management objects in the directory.

Required software 

Each management processor requires specific software for directory service support. The software, an 
HP Smart Component, contains the following pieces and is available for download from the HP 
website at www.hp.com/servers/lights-out:

• Schema Installer extends the schema. 

• Management Snap-in Installer provides snap-ins to manage the remote MP device objects in an 
existing directory-enabled IT environment. 

• Two Migration Utilities (HPQLOMIG.EXE and HPQLOMGC.EXE) allow users to deploy and/or 
upgrade the MPs in their enterprise. 

- HPQLOMIG offers a Graphical User Interface (GUI) where users can manage large numbers of
management processors in a directory-enabled environment. 

- HPQLOMGC runs unattended with a command line interface and is used in conjunction with 
Insight Manager 7. 



IMPORTANT 

You must download and install the HP Smart Component before you can 
use the directory-enabled features of the management processor. 



In addition to the software contained in the HP Smart Component, each management processor 
requires a minimum firmware version to support directory services. If any management processor 
requires upgrading, download the necessary version from the HP website at 
www.hp.com/servers/lights-out.
Table 1 includes the minimum firmware version required for directory support.

Table 1: Minimum Firmware Versions Needed for Directory Support

Management processor    Minimum firmware version    Date
iLO                     1.40                        July 2003
RILOE                   2.50                        June 2003
RILOE II                1.10                        June 2003



Implementing Lights-Out Management directory services support 

Today, IT professionals can manage numerous management processors by running XML scripts. The 
scripts help upgrade the firmware and configure the management processors, but the steps taken to 
achieve this process are not streamlined. The HP migration utilities eliminate the need for an IT 
administrator to configure (manually) the directory service to have the appropriate objects and 
relationships for iLO, RILOE, and RILOE II. 

Here are the steps necessary to directory-enable any management processors currently deployed.

Planning

1. Download and review the HP Directory Services Schema Information Booklet and the Directory 
Services section of the User Guide for the iLO, RILOE or RILOE II products. 

Installation 

2. Download the HP Smart Component containing the schema installer, the management snap-in 
installer, and the migration utilities. 

3. Run the schema installer program once to extend the schema. 

4. Run the management snap-in installer program and install the appropriate snap-in for your directory
service on one or more management workstations. 

Firmware Setup 

5. Flash the ROM on the management processor (iLO, RILOE, or RILOE II) with the directory-enabled 
firmware. Refer to Table 1 for the firmware version needed to provide directory support. 

6. Set directory server settings and the distinguished name of the management processor objects on 
the Directory Settings page in the GUI of the iLO, RILOE, or RILOE II products. 

Management 

7. Create a management device object and a role object by using the snap-in. 

8. Assign rights to the role object, as necessary, and associate the role with the management device 
object. 

9. Add users to the role object. 

Using the current deployment method, IT managers must complete steps 4 through 8 manually. This 
time-consuming process does not scale well for configuring numerous management processors. The 
HP migration utilities (HPQLOMIG.EXE and HPQLOMGC.EXE) automate this process and are 
available in conjunction with the new firmware versions offering directory support (shown in Table 1). 
To download the HP Smart Component containing the management snap-in, the schema installer, and 
the migration utilities, go to the HP website at www.hp.com/servers/lights-out.
New migration tools

HP offers two new software migration tools to assist you in enabling directory support on all of the 
remote management products (iLO/RILOE/RILOE II) in the IT environment. HP calls these utilities 
HPQLOMIG and HPQLOMGC. 

HPQLOMIG.EXE stands for HP Lights-Out Migration and comes with a graphical user interface (GUI)
providing the user with a wizard approach to implementing or upgrading large numbers of
management processors in the enterprise. The second utility, HPQLOMGC.EXE, is an abbreviation of
HP Lights-Out Migration Command and offers a command line approach; therefore, it does not
present a user interface and runs unattended. This utility works in conjunction with Insight Manager 7
Application Launch. Both utilities automate the process of directory enabling the ProLiant remote
management products and, for security, use an SSL connection to communicate with the management
processors in your IT environment.

For more information on these migration tools, see the HP Directory Migration Utility User Guide 
available on the HP website at www.hp.com/servers/lights-out.

Operating system support 

The HP directory-enabled remote management products currently support Microsoft Active Directory 
running on Windows® 2000 and Windows Server 2003 in addition to Novell eDirectory running on 
Windows® 2000, NetWare 6, or Red Hat Linux 7.2/7.3. 

To extend the advantages of the HP remote management technology to Linux customers, HP is adding 
support in RILOE II cards (firmware version 1.10 and later) and iLO (firmware versions 1.40 and
later) for Red Hat Linux and SuSE Linux client operating systems. Administrators can access RILOE II 
and iLO from a Mozilla or Netscape Navigator browser interface running on a Linux client operating 
system. 

Future direction 

HP currently offers a robust suite of management products offering remote manageability of ProLiant 
servers. 

HP plans to continue to improve the value proposition of ProLiant servers through Directory-Enabled 
Management. In the future, HP plans to add more directory-enabled features and products. 
Glossary



This glossary provides an alphabetical listing of products and new industry technology terms with 
detailed descriptions for each entry. 



class
A data definition of an entity (object) that can be created in
the directory service. For example, a user is a class.

Domain Name System or Service (DNS)
An Internet service that translates domain names into IP
addresses. For example, the domain name
www.example.com might translate to 198.105.232.4.

directory
A distributed and replicated database that represents an
organization from a hierarchical viewpoint.

distributed
In terms of a directory, distributed means that the
information contained within the directory is available from
multiple directory service agents on the network.

extensible
The ability to customize (or extend) the directory's schema to
fit your enterprise.

HPQLOMGC.EXE
The command line version of the HP software migration
utility used to automate the process of directory enabling the
ProLiant management processors in an IT environment.

HPQLOMIG.EXE
The graphical "wizard-like" version of the HP software
migration utility used to automate the process of directory
enabling the ProLiant management processors in an IT
environment.

Integrated Lights-Out (iLO)
Consists of an intelligent processor and firmware providing
standard and advanced levels of Lights-Out functionality.
Basic system card management functions, diagnostics and
essential functionality are provided as standard components
of the server. Advanced functionality consists of a virtual
graphical console, virtual media, and directory support.

Lightweight Directory Access Protocol (LDAP)
An industry-standard protocol for accessing X.500 standard
directory services. LDAP is a standard derived from DAP
(Directory Access Protocol).

migration utilities
Software migration tools, HPQLOMIG.EXE and
HPQLOMGC.EXE, used to automate the process of directory
enabling the ProLiant management processors in an IT
environment.

management processor
A reference used in this document referring to all three
remote management products: iLO, RILOE, and RILOE II.

object
An entity instantiated in the directory. Each object consists of
properties and the values for the properties and is derived
from a class.

Remote Insight Lights-Out Edition (RILOE)
A remote management tool that provides cost-effective
remote server management in corporate data centers and
remote sites.

Remote Insight Lights-Out Edition (RILOE) II
A remote management tool that allows browser access to
ProLiant servers through a seamless, hardware-based, OS-
independent graphical remote console.

Security Sockets Layer (SSL)
A protocol designed to provide encrypted communications
on a network. SSL works by using a key-based cipher to
encrypt data that is transferred over the SSL connection.

schema
The data definition of each entity within the directory. A
schema is a set of rules that define the directory in terms of
tree structure, object types, attributes, and relationships.
These rules are stored in a data dictionary that determines
the types of data that can be stored. The base schema is the
initial starting point of object classes and attributes in the
directory.

tree
A hierarchical structure of objects in the directory database.
The tree includes container and leaf objects that represent
resources and help to organize the tree.
For more information

To learn more about the HP Insight Management Suite, visit www.hp.com/servers/manage.
To learn more about HP products, visit our website at www.hp.com.

© 2003 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. The only warranties for 
HP products and services are set forth in the express warranty statements 
accompanying such products and services. Nothing herein should be construed 
as constituting an additional warranty. HP shall not be liable for technical or 
editorial errors or omissions contained herein. 

Microsoft, Windows, and Windows NT are registered trademarks of Microsoft 
Corporation. 

Document Number TC030601 WP, 06/2003 



